
I am testing an assembly program that is compiled by flatassembler, and it needs to modify the import table, so when I run objdump I can see which external functions the program is trying to call.

So, I start off with:

    format PE GUI
    section '.flat' readable writeable executable

It is calling some functions in MS dlls, but the import table is wrong.

Here is a simple part showing how I am including two dlls and a function:

    ;user32
    _MessageBoxA  dw $0
                  db 'MessageBoxA', $0
    kernel32_name db 'kernel32.dll', $0
    user32_name   db 'user32.dll', $0

What must be done in an assembly program to have the external functions show up in the import table?

James Black
  • What are you doing? Modifying the import table of a program with a program written in assembly, or importing functions into a program written in assembly? – harold Mar 19 '13 at 15:15
  • Modifying the import table of a program written in assembly. – James Black Mar 19 '13 at 15:28
  • OK, well, fasm has `library` and `import` directives; they're probably related. If you want to do them manually, have a look at this graphic: http://i.imgur.com/pHjcI.png. There is more structure to the import table than you're using here, notably pointers (well, RVAs) to the strings. – harold Mar 19 '13 at 15:55
  • @harold - If you can turn this into an answer I will accept it. The image is great. Thank you. – James Black Mar 19 '13 at 18:10
  • It's actually not ideal IMO - when I first saw it, it gave me the impression that every import needs its own descriptor, when really a descriptor points to an array of imports from that dll. So I can post a better answer than just that image, will take a few moments. – harold Mar 19 '13 at 18:14

1 Answer


The import table is a 0-terminated array of import descriptors; the Import Directory field in the Data Directories of the header points to the first item.

    struct ImportDescriptor   // size = 20 bytes
    {
        dword ILTRVA;         // RVA to Import Lookup Table
        dword Timestamp;      // you can usually ignore
        dword ForwarderChain; // these two
        dword DllNameRVA;     // RVA to 0-terminated dll name
        dword IATRVA;         // RVA to Import Address Table
    };

The ILT and IAT should be different locations but copies of each other (not necessarily, but that's a normal thing to do). The IAT is the one that will hold the pointers to imported functions. They're both 0-terminated arrays of RVAs to function names. The function names consist of a "hint" word and a 0-terminated ASCII string. The hint word can be zero, or the actual index of that function in the export table of the DLL it's from, or some random value; it's just a hint.

harold
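
The layout described in the answer above, walked in code to list each DLL and the functions imported from it (an added example, not part of the original answer). It assumes a PE32 image already laid out in memory order, so an RVA is a direct offset into the buffer; the sample bytes and the `ExitProcess` import are constructed, and the handling of a zero ILT RVA and of ordinal imports goes beyond what the answer covers.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # PE32: high bit set means import by ordinal

def cstr(image, rva):
    """Read a 0-terminated ASCII string at the given RVA."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def walk_imports(image, import_dir_rva):
    """Return {dll: [names]} for a PE32 image where RVA == offset into image."""
    imports = {}
    desc = import_dir_rva
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<5I", image, desc)
        if not (ilt or name_rva or iat):   # all-zero descriptor ends the array
            break
        thunk = ilt or iat                 # fall back to the IAT if ILT RVA is 0
        funcs = []
        while True:
            (entry,) = struct.unpack_from("<I", image, thunk)
            if entry == 0:                 # 0 ends the lookup table
                break
            if entry & ORDINAL_FLAG32:
                funcs.append("#%d" % (entry & 0xFFFF))
            else:
                funcs.append(cstr(image, entry + 2))  # skip the 2-byte hint
            thunk += 4
        imports[cstr(image, name_rva)] = funcs
        desc += 20                         # sizeof(ImportDescriptor)
    return imports

def build_sample():
    """Constructed image: two descriptors plus terminator, separate ILT and IAT."""
    img = bytearray(0x200)
    def put(rva, data):
        img[rva:rva + len(data)] = data
    put(0x100, struct.pack("<5I", 0x140, 0, 0, 0x180, 0x150))  # kernel32.dll
    put(0x114, struct.pack("<5I", 0x148, 0, 0, 0x190, 0x158))  # user32.dll
    tables = struct.pack("<4I", 0x1A0, 0, 0x1B0, 0)  # two 0-terminated arrays
    put(0x140, tables)                               # ILTs (0x140, 0x148)
    put(0x150, tables)                               # IATs (0x150, 0x158)
    put(0x180, b"kernel32.dll\0")
    put(0x190, b"user32.dll\0")
    put(0x1A0, struct.pack("<H", 0) + b"ExitProcess\0")  # hint word + name
    put(0x1B0, struct.pack("<H", 0) + b"MessageBoxA\0")
    return bytes(img)

if __name__ == "__main__":
    print(walk_imports(build_sample(), 0x100))
```

If a tool shows no imports for a hand-built table, the usual causes are a missing all-zero terminating descriptor, strings stored inline instead of being referenced by RVA, or an Import Directory entry in the header that does not point at the first descriptor.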